Abstract When multiple model predictive controllers are implemented on a
shared controller area network (CAN), their performance may degrade due
to the variable timing and delays among messages. The priority based
real-time scheduling of messages on the CAN introduces complex timing of
events, especially when the types and number of messages change at runtime.
This paper introduces a novel hybrid timing model to make runtime predictions
on the timing of the messages for a finite time window. Controllers can be
designed using the optimization algorithms for model predictive control by
considering the timing as optimization constraints. This timing model allows
multiple controllers to share a CAN without significant degradation in the
controller performance. The timing model also provides a convenient way to
check the schedulability of messages on the CAN at runtime. Simulation results
demonstrate that the timing model is accurate and computationally efficient
enough to meet the needs of real-time implementation. Simulation results also
demonstrate that model predictive controllers designed when considering the
timing constraints perform better than controllers designed without
considering the timing constraints.


1 Introduction 

Modern industrial control applications, such as automotive control, are
characterized by the use of shared networks to replace excessive wiring.
Deterministic timing is crucial in time-critical industrial applications,
because uncertainty in timing may cause embarrassing, or even life-threatening,
sudden decreases in system performance. Real-time networks have been
developed to support networking with deterministic timing, with the controller
area network, or CAN, being the most mature and accepted one [Gmbh 1991]
[Zeng et al. 2010]. A CAN connects a number of nodes that are able to send
and receive messages. Each message on the CAN is broadcast to all nodes,
and only one message can be transmitted at any time. To resolve contention
among multiple messages, the CAN utilizes a media access control protocol
called carrier sense multiple access with bitwise arbitration (or CSMA/BA).
Each message is assigned a unique identifier, which is used as an assigned
priority when contention occurs. Since each identifier is unique, each message
has a unique priority. Therefore, when two or more nodes attempt to send
messages at the same time, the node with the highest priority message will be
granted access to the CAN to transmit, and the other nodes will need to defer
their message transmission until the communication link becomes idle, which
can be detected after receiving a bit field indicating the end of the message
being transmitted. The length of each CAN message can be determined up
to a certain accuracy, so that the value approximates the real timing well,
and there is no randomness in the mechanism that resolves conflicts.
Therefore, the timings of message transmission and reception events on CAN
can be well predicted.

Using CAN to support networked control systems increases flexibility.
However, most networked control system designs are usually constrained by
limited bandwidth of the communication link, which does not allow message
transmission at an arbitrarily high rate. The CAN based control systems
are no exception. When multiple control loops must share access to a
common communication link, the bandwidth must be distributed appropriately
so that all control loops are stable and all achieve a desired level of
performance. Hence, one must design both the controller and the distribution
of bandwidth to guarantee stability and optimal and robust performance
[Hespanha et al. 2007] [Zhang et al. 2013].

Over the last several decades, hardware and software systems supporting
the CAN have improved significantly, resulting in very reliable message
transmission and timing accuracy. Therefore, the probability of packet drops,
and the possible randomness in timing caused by clock drift, can be practically
ignored for controller design. However, since the CSMA/BA used by CAN
is a contention based protocol, it alone cannot provide sufficient control over
the distribution of bandwidth among networked controllers. While the timing
is still deterministic, contention may cause large variations in timing, a
phenomenon generally known as jitters [Baruah et al. 1997] [Cervin et al. 2003].
If not handled well, jitters may cause controls to be faulty at unexpected (or
even life threatening) times. These timing variations cannot be ignored by any
controller design. But some jitters happen with small probability, and so are
hard to diagnose [Cervin et al. 2006]. Since the contention based media access
protocol is not sufficient to avoid timing variations, a higher level scheduling
algorithm is often designed to allocate the bandwidth among control loops.
In [Anta and Tabuada 2009], the authors discuss the design of self-triggered
controllers that can reduce the number of required messages for control
systems, which can save communication bandwidth for other applications. Also,
the authors of [Marti et al. 2010] propose an optimal strategy to allocate
communication bandwidth to different control loops implemented on a CAN, and
the article [Jeon et al. 2001] analyzes the effect of response time on the
control performance. However, these methods cannot completely avoid contention.
When unexpected contention occurs, classical real-time scheduling resolves
these contentions by priority based scheduling algorithms [Sha et al. 2004],
such as the popular rate monotonic scheduling (or RMS) and earliest deadline
first (or EDF) algorithms [Liu and Layland 1973].

Model predictive controllers, or MPCs, were originally developed for
industrial process control [Clarke et al. 1987] [Lee et al. 1994]
[Richalet et al. 1978]. The success led to a new general approach for
controller design that has been used in many other applications, including
vehicle and robot control [Camacho and Bordons Alba 2004]
[Grune and Jurgen 2011] [Wang 2009]. The basic idea of model predictive
control is to use a model of the physical system to predict future system
behavior over a finite time horizon, starting from each sampling time where
new sensor measurements are available. The control effort in the finite time
horizon is computed by solving an optimization problem. At each sampling time,
only the first value of the resulting control is applied to the plant, and
then the entire calculation is repeated at subsequent sampling time instants.
Model predictive control offers a natural way to incorporate state and control
constraints [Mayne et al. 2000] into the design. However, it requires
sufficient online computing resources and computing time. Chemical process
control, where model predictive control has seen great success over many
years, allows for both. While other applications, such as the control of
automobiles or robots, are more constrained in terms of timing and computing
resources because of their reliance on (networked) embedded computers
[Leen and Heffernan 2002], recent advances in embedded processors show
considerable promise for applying model predictive control in automotive and
robotic applications as well.

Effective MPC designs rely on accurate, high fidelity models of the control
loops. However, the jitters associated with messages on the CAN introduce
time-varying delays into the control loops. Such time-varying delays make it
difficult to derive a reliable model for use by MPC. This challenge may be
answered by the approach of control-scheduling co-design, where a controller
and the timing of control related events can be jointly determined. Two
categories of methods exist in the literature: the offline methods and the
online methods.

Offline methods perform optimization at an offline design stage
[Chantem et al. 2006] [Zhang et al. 2008]. Typically, a scheduling algorithm
is first determined, and then computer simulation is used to generate a
sequence of timings of all possible events under the scheduling algorithm.
Optimization techniques can then be applied to tune the parameters of the
scheduling algorithm and the controller design until a predefined performance
criterion is optimized [Arzen et al. 2000]. Offline methods are feasible.
However, they lead to overly conservative designs, and they are not completely
compatible with model predictive control, which requires control efforts to be
computed online for a finite time window using predictions. Online methods for
handling jitters involve co-designing a schedule of events and a model
predictive control at each sampling time for a finite horizon
[Henriksson et al. 2002], which reduces the amount of computation required
compared to offline methods since a shorter time window is concerned.
Furthermore, the controllers that are designed in such methods are usually
less conservative than the ones designed with offline methods, because they
only need to compensate for the worst case delay in a relatively short time
window. A key requirement for the online approach is a computationally
efficient method to predict the timing of events for the finite horizon used by
the model predictive control. While timing can be computed by simulations
for offline methods, such simulations are too expensive for online methods. To
the best of our knowledge, the existing works do not offer a general method
for accurate timing prediction on real-time networks. For example, the works
[Gaid et al. 2006] [Liu et al. 2013] obtain a timing prediction from a lookup
table that is generated offline by computer simulation. In [Zhao et al. 2008],
the timing is assumed to be periodic, while [Zhang et al. 2005] models the
timing as a Markov process, where the transition probabilities are assumed to
be known. These methods all have certain degrees of inaccuracy that must
be tolerated by a model predictive control design. If a message takes longer
than expected to transmit, or is perturbed by other messages that were not
considered at the design stage so that its deadline is missed, then the schedule
would not adjust for this fault. The work [Shi and Zhang 2013] is perhaps the
first to introduce a deterministic timing model that connects real-time priority
based scheduling algorithms with model predictive control designs. This
timing model may be leveraged by model predictive control designs to improve
performance, by better compensating for timing variations, which serves as
the starting point of the work of this paper.

This paper develops a novel methodology that focuses on handling the
timing constraints (e.g. jitters and delays) associated with MPC on CAN. The
major contributions are summarized below:


— Model. We develop a receding horizon timing model for event-triggered
model predictive control on CAN. Existing real-time scheduling analysis
of the CAN focuses on modeling time-varying delays as either constant
values in worst-case scenarios [Tindell and Burns 1994] [Tindell et al. 1995]
[Davis et al. 2007] or stochastic variables obeying a certain distribution
[Zeng et al. 2010]. These results do not provide a process model with
sufficient accuracy. Moreover, many control systems nowadays operate in
dynamic and uncertain environments. As a result, the system workload will
change accordingly. For instance, some messages on the CAN may need to be
removed in some cases, while new messages may be added in other cases. This
variability of messages inevitably further increases delay variation in the
feedback control loop. Our model is able to capture the variations of timing
caused by changes in the number of messages, message length, and priorities at
run-time over a finite time window. This is particularly suitable for model
predictive control.

— MPC design. We propose an effective design for an event-triggered MPC
that incorporates both the timing model and the control loop model to find
the optimal controlling effort under the timing constraints on CAN.
Networked model predictive control designs exist for contention based
protocols over the Ethernet; see, for example, [Goodwin et al. 2004]
[Imer et al. 2006] [Liu et al. 2007] [Loontang and de Silva 2006]
[Montestruque and Antsaklis 2004].
However, the Ethernet is very different from the CAN bus, since it does not
offer predictable timing. Therefore, these works cannot be applied directly
to the model predictive control design problem for the CAN bus. Our MPC
design is triggered by the deterministic timing events on the CAN. We have
discovered that a state observer is necessary to estimate the states of the
timing model. An observer with proved convergence is thus incorporated
into the MPC design. The observer and the event triggered MPC controller
design have not appeared in previous works.

— Simulations. We perform simulations to demonstrate that our MPC design
can lead to improved MPC performance. The design is compared to
MPC designs without the timing model to show the performance improvement.


To the best of our knowledge, these contributions do not exist in the literature
reviewed and have not been previously published.

The technical content of the paper is organized as follows. Section 2 first
reviews the CAN protocol and its message properties. Then a structure for
MPC is introduced, which formulates the co-design problem studied in this
paper. This problem motivates the need for an efficient timing model that is
necessary to enable the co-design. Section 3 then derives the timing model
that is needed to solve the co-design problem. The timing model consists of
state vectors, selected to represent the status of all messages on the CAN bus,
and transition rules that determine the values of state vectors over time.
Using the timing model, one can check for schedulability of all messages at
significant moments. Not all states in the state vectors are directly
observable on a CAN bus, so Section 4 discusses how to estimate the state
vectors in the hybrid timing model from measurements collected in each CAN
node. We rigorously prove that the algorithm used for estimation converges to
the true values of the state vectors. Section 5 presents the solution of MPC
design proposed in this paper. The timing model is used to determine controller
delays so that the MPC can be determined more accurately than using worst case
response times. Section 6 presents simulations to show the effectiveness of our
approach. We demonstrate that the timing model is at least as accurate as other
simulation based methods, but with significantly reduced computational cost. We
also demonstrate that the co-designed MPC with timing model achieves better
tolerance to disturbances in timing than using worst-case timing. For ease of
reading, we have summarized all major notations used throughout the paper in
Table 1.
Table 1: Major Notations in Paper

CAN Bus Messages

$\tau_n$      message chain consisting of sensor and control messages
$\tau_n^1$    1st sub-message of $\tau_n$, i.e. the sensor message
$\tau_n^2$    2nd sub-message of $\tau_n$, i.e. the control message
$C_n^1$       transmission duration of $\tau_n^1$
$C_n^2$       transmission duration of $\tau_n^2$
$I_n^1$       time for preparing $\tau_n^1$
$I_n^2$       time for preparing $\tau_n^2$
$T_n$         sampling interval of $\tau_n$
$P_n$         priority of $\tau_n$
$\alpha_n$    sampling instant of $\tau_n$
$\beta_n$     time instant when $\tau_n^1$ finishes transmission
$\gamma_n$    time instant when $\tau_n^2$ finishes transmission
$\delta_n$    time delay between $\gamma_n$ and $\alpha_n$

MPC Control Design

$x$           state variable of a physical plant
$y$           output of a physical plant
$u$           MPC control signal applied on the physical plant
$J$           cost function for MPC design
$T_p$         length of MPC prediction horizon
$\lambda$     reference trajectory that MPC tracks

Timing Model

$N$           number of total message chains on the CAN bus
$d_n$         deadline state of a message chain $\tau_n$
$r_n$         residue state of a message chain $\tau_n$
$o_n$         delay state of a message chain $\tau_n$
$D$           deadline state of all message chains, i.e. $D = [d_1, \cdots, d_N]$
$R$           residue state of all message chains, $R = [r_1, \cdots, r_N]$
$O$           delay state of all message chains, $O = [o_1, \cdots, o_N]$
$ID$          index of the message chain being transmitted on CAN
$Z$           state vector of the model, i.e. $Z = [D, R, O, ID]$
El            the timing model


2 Problem Formulation 

Our main goal is to establish an event-triggered model predictive control design 
approach for real-time networks. An “event” is defined as a significant moment 
that should be accounted for by the controller. For example, each time a sensor 
message finishes transmission, a model predictive controller can be initiated 
to leverage the new information. Event-triggered model predictive control fits 
nicely with the CAN bus, since the CAN hardware can generate hardware 
interrupts when “end of transmission” events happen. We propose a timing
model so that whenever the model predictive control is triggered by an event, 
one can predict the timing of future events within a finite time horizon and 
compute control effort accordingly. For example, one can predict when a future 
sensor message will arrive and when the corresponding control effort will be 
applied, and then compute the control effort for that future time. 

Without loss of generality, we make the following technical assumptions 
about message transmission and reception on the CAN bus: 

1. The CAN bus is reliable such that no error occurs in sending and receiving 
messages. 

2. At each node, among all messages that are ready for transmission, the 
message with the highest priority will be sent first. 

These two assumptions are valid in real applications, and have been used in
many theoretical works related to CAN [Tindell et al. 1995] [Davis et al. 2007]
[Anta and Tabuada 2009].



Fig. 1: Multiple Feedback Control Loops Sharing a CAN 


2.1 CAN-based Control System 

Consider a set of feedback control loops designed to share a CAN as illustrated
in Figure 1. Each feedback control loop utilizes the CAN to send sampled data
from sensors to an MPC controller, and to send control commands from the 
MPC controller to actuators. The sensors, MPC controllers, and actuators are 
connected to the CAN and are named as sensor nodes, MPC controller nodes, 
and actuator nodes. We simplify the design so that each feedback control loop 
has one sensor node, one MPC controller node, and one actuator node. This 
is not to be considered as only allowing single-input-single-output systems 
because multiple sensors can be integrated into a sensor node, and multiple 
actuators can be integrated into an actuator node. The following rules are 
imposed by this system: 
— At the sensor node, a user specified software program samples the state of
the plants, and then combines sampled data into a single sensor message 
for transmission; 

— At the MPC controller node, upon reception of a sensor message, a user 
specified software program extracts sampled data from the sensor message. 
The node then computes MPC algorithms, and combines the resulting 
control commands into a single control message for transmission; 

— At the actuator node, upon reception of a control message, a user specified 
software program extracts control commands from the control message. 
The node then issues the control on the actuator; 

— All control loops are mutually independent, which means that the sensor 
messages and control messages of one control loop do not rely on messages 
from other loops for computation. 

Therefore, we consider two types of messages related to the control: sensor
messages and actuator messages. The above rules imply a causality constraint
between sensor and control messages as follows: in each feedback control loop,
a sensor message must be transmitted before the MPC controller starts
computing the control law. A control message can only be transmitted after the
control law is computed.


2.2 Message Chains 

For causality in each feedback control loop, one requires that the transmission
of a sensor message be followed by the computation of the control effort,
which is then followed by the transmission of a control message. This process
iteratively repeats. Each iteration of this process, beginning from the sampling
of the sensor and ending at the actuation, is called an instance, and the
above process for any n-th feedback control loop is called a message chain
and denoted by $\tau_n$. Thus, each message chain $\tau_n$ is composed of
recurring instances. Let the indices $k = 1, 2, \ldots$ indicate each of the
recurring instances in $\tau_n$ for the n-th loop, i.e. the k-th instance of
$\tau_n$ is denoted by $\tau_n[k]$. Figure 2 illustrates the timing of a
message chain when there is no contention.

Fig. 2: An Example Message Chain $\tau_n$ when No Contention Occurs


The horizontal line in Figure 2 represents the progression of time. Suppose
that $\tau_n[k]$ starts at the k-th sampling instant $\alpha_n[k]$. The instance
$\tau_n[k]$ contains two sub-messages, namely, $\tau_n^1[k]$ and $\tau_n^2[k]$,
where $\tau_n^1[k]$ represents the sensor message, and $\tau_n^2[k]$ represents
the control message. Also, $I_n^1[k]$ is the amount of time for the user
specified software program on the sensor node to sample plants and prepare
$\tau_n^1[k]$; $C_n^1[k]$ is the transmission duration of $\tau_n^1[k]$;
$\beta_n[k]$ is the time instant when the transmission of $\tau_n^1[k]$ is
completed; $I_n^2[k]$ is the amount of time for the user specified software
program on the controller node to extract sensor information, compute the model
predictive control, and prepare $\tau_n^2[k]$. $I_n^2[k]$ can be viewed as the
worst case execution time over the finite time horizon to which our timing
model applies. We assume that the constant value $I_n^2[k]$ approximates its
true execution time well; $C_n^2[k]$ is the transmission duration of
$\tau_n^2[k]$; $\gamma_n[k]$ is the time instant when the transmission of
$\tau_n^2[k]$ is completed; and $T_n[k]$ is the sampling interval between
$\alpha_n[k]$ and $\alpha_n[k+1]$. Then $\beta_n[k]$ represents the time when
the sensor message finishes transmission, and $\gamma_n[k]$ represents the time
when the control message finishes transmission. Note that the potential
randomness and variations in $C_n^1[k]$ and $C_n^2[k]$, which are caused by
possible bit-stuffing, can be significantly reduced by effectively encoding the
original payload [Gianluca et al. 2012]. Even when the transmission time is NOT
completely deterministic, the values of $C_n^1[k]$ and $C_n^2[k]$ will provide
a good approximation of the actual transmission time. Here again we want to
emphasize that the timing model applies to a finite time horizon only and is
updated dynamically as part of the MPC scheme. So the small (unexpected)
variations in the values of $C_n^1[k]$ and $C_n^2[k]$ will be tolerated by the
control. There may also exist some general-purpose messages that are not
related to the control, but that share the CAN bus with the feedback control
loops. These general-purpose messages can also be represented by message
chains. For example, one can let a message chain $\tau_j$ represent a
general purpose message by choosing $I_j^2[k] = 0$ and $C_j^2[k] = 0$. The
following equations are satisfied by the parameters of a message chain when
there is no contention:


$$
\begin{aligned}
\beta_n[k] &= \alpha_n[k] + I_n^1[k] + C_n^1[k] \\
\gamma_n[k] &= \beta_n[k] + I_n^2[k] + C_n^2[k] \\
\alpha_n[k+1] &= \alpha_n[k] + T_n[k]
\end{aligned}
\tag{1}
$$

The above equations will not hold when there is contention between messages.
Since only one message can be transmitted on the CAN bus at a time,
$\tau_n^1[k]$ and $\tau_n^2[k]$ in $\tau_n[k]$ may not be transmitted
immediately after they are generated. Instead, they have to compete with other
messages for access to the CAN bus, under the CSMA/BA arbitration scheme. The
priority of $\tau_n[k]$ can be represented by $P_n[k]$. Since each sub-message
$\tau_n^1[k]$ and $\tau_n^2[k]$ in $\tau_n[k]$ may have its own priority, we
have

$$
P_n[k] =
\begin{cases}
P_n^1[k] & \text{when } \tau_n^1[k] \text{ is transmitted} \\
P_n^2[k] & \text{when } \tau_n^2[k] \text{ is transmitted}
\end{cases}
\tag{2}
$$

where $P_n^1[k]$ and $P_n^2[k]$ represent the priorities (identifier fields) of
$\tau_n^1[k]$ and $\tau_n^2[k]$, respectively. We will see in Section 3 that
equation (1) will be replaced by a timing model which is able to answer the
challenge.

2.3 MPC Design

MPC is an advanced control algorithm with increasing popularity in
applications. It iteratively uses a model of the feedback control loop to
predict the future control strategy over a finite time horizon [Rawlings 2000].
However, only the first step of the predicted control strategy is implemented.
At the next step, the prediction process is repeated, yielding a new control
strategy. The prediction horizon thus keeps shifting forward as time progresses.

For the n-th feedback control loop in Figure 1, where $n = 1, 2, \ldots, N$, we
assume that the plant is an independent, multiple input multiple output, and
linear time-invariant system

$$
\begin{aligned}
\dot{x}_n(t) &= A x_n(t) + B u_n(t) \\
y_n(t) &= C x_n(t),
\end{aligned}
\tag{3}
$$

where $u_n(t)$ is the control command, $y_n(t)$ is the plant output, $x_n(t)$ is
the plant state, and $A$, $B$ and $C$ are matrices of proper dimensions.

CAN based MPC relies on the controller nodes to compute the control
effort $u_n(t)$ over a finite time window into the future. This finite time
window is called the prediction horizon. When a controller node is triggered by
the end of the transmission of a sensor message in the same feedback control
loop, the time when the sensor reading is obtained will be used as the start
time of the prediction horizon. Denoting this start time by $t_0$, an estimate
$\hat{x}_n(t_0)$ of the state is first obtained by a filtering algorithm. Let
the finite prediction horizon be $[t_0, t_0 + T_p]$, where $T_p$ is the length
of the prediction horizon. The goal of the MPC is to find control commands
$u_n(t)$ that bring the predicted plant output $y_n(t)$ as close as possible to
a reference trajectory $\lambda_n(t)$ for all $t \in [t_0, t_0 + T_p]$.

A controller is triggered by the end of transmission of sensor messages,
and an actuator node can only take actions when receiving a control message.
Hence, each model predictive controller only needs to generate one control
command for each sensor message received. The resulting control command
is applied to the plant, and remains constant until the next sensor message
triggers the controller again. Time delay exists between the moment when the
sensor takes measurements, and the moment when the actuator implements
the control command. Therefore, the control command $u_n(t)$ in (3) must be a
piecewise constant function

$$
u_n(t) = \mu_n[k], \quad t \in \big[\alpha_n[k] + \delta_n[k],\; \alpha_n[k+1] + \delta_n[k+1]\big),
\tag{4}
$$

where $\alpha_n[k]$ is the k-th sampling instant of the sensor as shown in
Figure 2, and $\mu_n[k]$ is the optimal control command that is generated by
the model predictive controller in the sampling interval
$[\alpha_n[k], \alpha_n[k+1])$. Also, $\delta_n[k] = \gamma_n[k] - \alpha_n[k]$
is the time delay between the sampling time instant $\alpha_n[k]$ and the end
time $\gamma_n[k]$ of the transmission of the control message, as shown in
Figure 2. Let $\mathbf{u}_n$ represent the piecewise constant control policy,
defined by $u_n(t)$, where $t \in [t_0, t_0 + T_p]$. If one can perform online
prediction of $\delta_n[k]$ for all $k$ that fall within the prediction
horizon, then the piecewise constant control policy $\mathbf{u}_n$ is a finite
dimensional vector $[\mu_n[1], \mu_n[2], \ldots, \mu_n[k], \ldots]$ for all $k$
that fall within the finite prediction horizon $[t_0, t_0 + T_p]$.

A cost function $J(x_n(t_0), \mathbf{u}_n)$ can be defined for the model
predictive controller to optimize. One typical example of the cost function
[Liu et al. 2007] is

$$
\begin{aligned}
J(x_n(t_0), \mathbf{u}_n)
= {} & \int_{t_0}^{t_0 + T_p} \Big\{ (\lambda_n(s) - y_n(s))^T Q_1 (\lambda_n(s) - y_n(s)) + u_n(s)^T Q_2 u_n(s) \Big\}\, ds \\
& + x^T(t_0 + T_p)\, Q_3\, x(t_0 + T_p),
\end{aligned}
\tag{5}
$$

where $Q_1$, $Q_2$, and $Q_3$ are positive semidefinite weighting matrices
chosen by design. The first term in the integral penalizes the difference
between the future plant output and the reference trajectory during the
prediction horizon, and the second term is the control penalty. The last term
in the cost function is the terminal cost that ensures the system is stabilized
by the controller. In (5), $y_n(t)$ must be predicted as a function of $x_n(t)$
and $u_n(t)$ for $t \in [t_0, t_0 + T_p]$ through the process model in (3)-(4).

If the delays $\delta_n[k]$ for all tasks, indexed by $k$, that fall within the
interval $[t_0, t_0 + T_p]$ can be predicted, then the model predictive control
design problem can be formulated as an optimization problem that needs to be
computed at every $k$:

$$
\text{Given } x_n(t_0) = \hat{x}_n(t_0) \text{ and } \delta_n[k], \text{ solve } \min_{\mathbf{u}_n} J(x_n(t_0), \mathbf{u}_n)
\tag{6}
$$

subject to the following constraints:

$$
u_n(t) \in \mathcal{U}, \quad x_n(t) \in \mathcal{X},
\tag{6a}
$$

$$
\dot{x}_n(t) = A x_n(t) + B u_n(t), \quad y_n(t) = C x_n(t), \text{ and}
\tag{6b}
$$

$$
u_n(t) = \mu_n[k], \quad t \in \big[\alpha_n[k] + \delta_n[k],\; \alpha_n[k+1] + \delta_n[k+1]\big),
\tag{6c}
$$


where (6a) represents the constraints on the control command and the plant
states. The sets $\mathcal{U}$ and $\mathcal{X}$ are assumed to be known.
Equations (6b) and (6c) represent the physical plant in the process model. The
physical plant and the CAN timing model are coupled through the delay
$\delta_n[k]$ in (6c). Note that in the cost function
$J(x_n(t_0), \mathbf{u}_n)$, $y_n(t + \tau)$ for $\tau \in [0, T_p]$ must be
predicted as a function of $x_n(t)$ and $u_n(t + \tau)$ for
$\tau \in [0, T_p]$ through the process model in Equations (6b) and (6c).

If there were no contention on the CAN, the prediction of the time delays
$\delta_n[k]$ would be trivial. In fact, using equation (1), the delay
$\delta_n[k] = \gamma_n[k] - \alpha_n[k] = I_n^1[k] + C_n^1[k] + I_n^2[k] + C_n^2[k]$.
In this special case the MPC design problem would be the classical problem,
which would be relatively easy to solve. We emphasize here that even in this
special case, a continuous time MPC may be preferred over the discrete time
one, since $\delta_n[k]$ may be time-varying.

2.4 The Need of a Timing Model

Real-time scheduling of messages under contention introduces time-varying
delays $\delta_n[k]$ in Equation (6c). Since MPC design relies on the process
model in Equations (6b) and (6c), the accurate prediction of $\delta_n[k]$ is
important to MPC performance. Using the worst case delay would result in poor
performance. Figure 3 shows an example of MPC performance under either accurate
or inaccurate prediction of $\delta_n[k]$. The inaccurate prediction of
$\delta_n[k]$ is chosen as a constant delay from the worst-case analysis
[Tindell and Burns 1994] [Tindell et al. 1995] [Davis et al. 2007], and the
accurate prediction of $\delta_n[k]$ is the actual time-varying delay of
$\delta_n[k]$. The solid line represents the plant output $y_n(t)$ and the
dashed line represents the reference trajectory $\lambda_n(t)$. As we can see,
using an inaccurate $\delta_n[k]$ would lead to an unreliable process model,
which severely degrades the performance of MPC.



Fig. 3: MPC performance under two different predictions of $\delta_n[k]$:
(a) inaccurate prediction, (b) accurate prediction (horizontal axis: time in
seconds)


The MPC procedure treats the delay $\delta_n[k]$ as a timing constraint. The
accurate prediction of $\delta_n[k]$ for messages under contention and priority
based scheduling is difficult. To our knowledge, such a model does not exist in
the previous literature. To answer this challenge, our contribution is to
derive a timing model that is able to predict the timing constraints on the
CAN-based control systems.


3 The Timing Model 

Our goal in this section is to derive a timing model for message chains under
contentions that are resolved via the assigned priorities. This timing model
generates predictions for $\alpha_n[k]$, $\beta_n[k]$, and $\gamma_n[k]$ for all $n$ and $k$ for a finite
length time window into the future, which will replace equation 0 and then
enable the MPC control design in (6). Using the timing model, all transmission
events, including the start and the end of all sensor and control messages, can
be inferred. From this timing information we will be able to estimate the
delays $\delta_n[k]$ that are needed when computing the MPC.

Due to the time-varying delays under contention, a continuous-time MPC
design approach is a natural choice over discrete-time MPC. To support the
continuous-time MPC, we need to model the scheduled behaviors of message
chains as a (piecewise) continuous function of $t$. Therefore, we redefine the
message chain characteristics in the continuous time domain as follows:

Definition 1 For any message chain $\tau_n$, an instance $\tau_n[k]$ is active at time $t$
if and only if it starts before $t$ and its next instance starts after $t$, i.e.
$\alpha_n[k] < t < \alpha_n[k+1]$. At any time $t$, $\tau_n$ has only one active instance denoted as $\tau_n(t)$,
i.e.

if $\alpha_n[k] < t < \alpha_n[k+1]$ then $\tau_n(t) = \tau_n[k]$    (7)

Definition 2 At any time $t$, we define $\tau_n^1(t)$ and $\tau_n^2(t)$ as the first and second
sub-messages in $\tau_n(t)$, i.e.

if $\alpha_n[k] < t < \alpha_n[k+1]$, then $\tau_n^1(t) = \tau_n^1[k]$ and $\tau_n^2(t) = \tau_n^2[k]$    (8)

Based on the above definitions, we can convert the message chain characteristics
in Figure 2 into a continuous time description for the active task instance
$\tau_n(t)$. $I_n^1(t)$ and $I_n^2(t)$ are the time needed for preparing $\tau_n^1(t)$ and $\tau_n^2(t)$.
$C_n^1(t)$ and $C_n^2(t)$ are the transmission duration of $\tau_n^1(t)$ and $\tau_n^2(t)$.
$T_n(t)$ is the sampling interval of $\tau_n(t)$, and $P_n(t)$ is the priority of $\tau_n(t)$.
These notations are summarized in Table 2.

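Table 2: Characteristics of a message chain $\tau_n$

Symbol                          Meaning
$\tau_n(t)$                     Active instance of $\tau_n$ at time $t$
$\tau_n^1(t)$, $\tau_n^2(t)$    1st and 2nd sub-messages in $\tau_n(t)$
$T_n(t)$                        Sampling interval of $\tau_n(t)$
$P_n(t)$                        Priority of $\tau_n(t)$
$C_n^1(t)$, $C_n^2(t)$          Transmission duration of $\tau_n^1(t)$, $\tau_n^2(t)$
$I_n^1(t)$, $I_n^2(t)$          Time for preparing $\tau_n^1(t)$, $\tau_n^2(t)$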


The parameters listed in Table 2 are not enough to describe the timing
of message chains on the CAN due to contention. The problem of scheduling
message chains on a CAN shares some similarity with the problem of task
scheduling on a processor. The authors of [Zhang et al. 2013], [Shi and Zhang 2013],
[Shi and Zhang 2012] introduced a dynamic timing model for the task scheduling
problem on a processor. However, scheduling message chains on a CAN is a
more complex problem. First, messages on the CAN are not preemptible while
tasks considered in [Zhang et al. 2013], [Shi and Zhang 2013] are preemptible.
Moreover, messages on the CAN are subject to causality constraints while
tasks in [Zhang et al. 2013], [Shi and Zhang 2013], [Shi and Zhang 2012] are
independent. Such increased complexity requires significant extensions to the
previous results. We show that the timing model will be a mixed set of
continuous-time differential equations and logic equations that describe the
evolutions of states that capture the timing. This model can faithfully describe
the timing of events.

3.1 States of the Message Chains

To model the preempted behaviors among multiple message chains, we introduce
some extra parameters called the states for each message chain.

Definition 3 The deadline $d_n(t)$, for $n = 1, 2, \dots, N$, denotes how long after
$t$ the next instance of the $n$th message chain will start.

Definition 4 The residue $r_n(t)$, for $n = 1, 2, \dots, N$, denotes the least remaining
time required to finish processing and transmitting the active instance
$\tau_n(t)$ after time $t$.

Definition 5 The delay $o_n(t)$, for $n = 1, 2, \dots, N$, denotes the time between
the starting time of $\tau_n(t)$ and the current time $t$ if the active instance $\tau_n(t)$ has
not been fully processed. If the active instance $\tau_n(t)$ has been fully processed
at a time instant before the current time $t$, then the value of the delay at time
$t$ will be the length of the time interval between the starting time of $\tau_n(t)$ and
the time instant when $\tau_n(t)$ has been fully processed.

Definition 6 The index $ID(t) \in \{1, \dots, N\}$ is the index of the message chain
that is being transmitted on the CAN at time $t$, where $ID(t) \neq 0$ implies that
the active instance $\tau_{ID}(t)$ is being transmitted and $ID(t) = 0$ implies that no
message chain is being transmitted.

To help readers understand these concepts, let us consider the case of a
message chain without contention as shown in Figure 2. Suppose the current
time $t = \beta_n[k]$. Then the deadline $d_n(t) = \alpha_n[k+1] - t = \alpha_n[k] + T_n[k] - \beta_n[k]$.
The residue $r_n(t) = \gamma_n[k] - t = I_n^2[k] + C_n^2[k]$, and $o_n(t) = t - \alpha_n[k] = I_n^1[k] + C_n^1[k]$.
These relationships will be much more complicated under contention.

We can assemble the states of all message chains at time $t$ into a large
row vector $Z(t) = [D(t), R(t), O(t), ID(t)]$ where $D(t) = [d_1(t), \dots, d_N(t)]$,
$R(t) = [r_1(t), \dots, r_N(t)]$ and $O(t) = [o_1(t), \dots, o_N(t)]$. Our timing model will
determine the value of this row vector $Z(t)$ at any time $t$.


3.2 Stages of a Message Chain 

The residue $r_n(t)$ is a key state that indicates how much time is still needed
before the active instance $\tau_n(t)$ will be completely processed. Its value always
starts from $I_n^1(t) + C_n^1(t) + I_n^2(t) + C_n^2(t)$ and decreases to 0. During this process,
the active instance $\tau_n(t)$ sequentially goes through seven different stages from
the starting time to completion.

— Stage 1: the first sub-message $\tau_n^1(t)$ is being prepared. At this stage,
$ID(t) \neq n$, the residue of $\tau_n(t)$ satisfies that
$C_n^1(t) + I_n^2(t) + C_n^2(t) < r_n(t) < I_n^1(t) + C_n^1(t) + I_n^2(t) + C_n^2(t)$.

— Stage 2: $\tau_n^1(t)$ is waiting for access to the CAN. At this stage, $ID(t) \neq n$,
the residue stays unchanged: $r_n(t) = C_n^1(t) + I_n^2(t) + C_n^2(t)$.

— Stage 3: $\tau_n^1(t)$ is being transmitted on the CAN. At this stage, $ID(t) = n$,
the residue satisfies that $I_n^2(t) + C_n^2(t) < r_n(t) < C_n^1(t) + I_n^2(t) + C_n^2(t)$.

— Stage 4: the second sub-message $\tau_n^2(t)$ is being prepared. At this stage,
$ID(t) \neq n$, the residue satisfies that $C_n^2(t) < r_n(t) < I_n^2(t) + C_n^2(t)$.

— Stage 5: $\tau_n^2(t)$ is waiting for access to the CAN bus. At this stage, $ID(t) \neq n$,
the residue stays unchanged, i.e. $r_n(t) = C_n^2(t)$.

— Stage 6: $\tau_n^2(t)$ is being transmitted on the CAN bus. At this stage, $ID(t) = n$, the
residue satisfies that $0 < r_n(t) < C_n^2(t)$.

— Stage 7: $\tau_n^2(t)$ is finished. At this stage, $ID(t) \neq n$, the residue stays
unchanged, i.e. $r_n(t) = 0$.

Whenever a new instance of $\tau_n$ arrives, it will go from Stage 7 back to Stage
1 and repeat the above process. Note that these stages are for one specific
message chain. Multiple message chains may stay in different stages at any
given time.

Suppose the active instance of message chain $\tau_n(t)$ is marked by the index $k$.
The dynamic deadline $d_n(t)$ starts from the initial value $T_n[k]$ and continuously
decreases as time propagates, regardless of which stage the message chain is
in. Hence we have that

$\dot{d}_n(t) = -1$,    (9)

with initial value $d_n(\alpha_n[k]) = T_n[k]$. But after the value of $d_n(t)$ decreases to
0, this indicates that a new instance of the message chain arrives. Then the
message chain goes from Stage 7 back to Stage 1, and $d_n(t)$ will jump from 0
to a new value $T_n[k+1]$.

The residue $r_n(t)$ starts from the initial value $r_n(\alpha_n[k]) = I_n^1[k] + C_n^1[k] +
I_n^2[k] + C_n^2[k]$. In Stages 2, 5, and 7, the residue satisfies $\dot{r}_n(t) = 0$. In Stages 1,
3, 4, and 6, the residue decreases homogeneously, i.e. $\dot{r}_n(t) = -1$. The value of
$r_n(t)$ will jump from 0 to a new value $I_n^1[k+1] + C_n^1[k+1] + I_n^2[k+1] + C_n^2[k+1]$
when a new instance of the message arrives, i.e. the message chain goes from Stage
7 back to Stage 1.

The delay $o_n(t)$ starts from the initial value 0 at the starting time $\alpha_n[k]$, i.e.
$o_n(\alpha_n[k]) = 0$. Whenever the value of the residue is not 0, i.e. $r_n(t) > 0$, the
delay increases homogeneously as $\dot{o}_n(t) = 1$. In other words, the delay keeps
increasing at Stages 1-6. The delay $o_n(t)$ stops increasing at Stage 7 since the
active instance of the message chain has been fully processed. When a new
message instance arrives, i.e. the message chain goes from Stage 7 back to
Stage 1, the delay $o_n(t)$ is reset to 0.

The index $ID(t)$ stays constant until a change of access to the CAN happens.
Since the CAN only transmits one message at a time, we have the following
claim.

Claim Consider a set of message chains $\{\tau_1, \dots, \tau_N\}$. At any time $t$, at most
one message chain from $\{\tau_1, \dots, \tau_N\}$ can stay at Stage 3 or Stage 6, but
multiple message chains can stay at other stages at the same time.

The message chain that is in Stage 3 or Stage 6 at the time $t$ will be the
message indicated by the value of $ID(t)$. On a real CAN implementation, this
value is known to all message chains due to the broadcasting mechanism used
by the CAN. When one of the message chains is at Stage 3 or Stage 6, all other
message chains will remain at Stages 1, 2, 4, 5, or 7. Since our goal is to derive
a model for the CAN, we need to determine and predict the value of the state
variable $ID(t)$ from the priorities $P_n(t)$. Let us suppose that a change of access
to the CAN happens at a time instant $t_0$. From the values of the residue, we
know which stage each message chain is at. Then the message that has access
to the CAN will be the message with the highest priority among all messages
that are either at stage 2 or stage 4 at time $t_0$. Therefore

$ID(t_0) = \operatorname{argmin}_{\{i \,|\, \tau_i \text{ in Stages 2 or 4, at } t_0\}} P_i(t_0)$.    (10)

We enforce the convention that if the set $\{i \,|\, \tau_i \text{ in Stages 2 or 4, at } t_0\}$ is empty,
then $ID(t_0) = 0$. Note that this equation does not hold for all $t$ since the
messages are non-preemptive. Therefore, to complete the timing model, we need
to pinpoint the time instants when a change of access to the CAN happens.

As we see, the evolution of $Z(t)$ is relatively straightforward within each
stage. What remains to do is to discover the length of each stage for each
message chain. The lengths of Stages 1, 3, 4, and 6 are known due to the
homogeneous decreasing of the residue $r_n(t)$. But the lengths of Stages 2, 5,
and 7 cannot be directly determined from the residue because they rely on
knowing which message chain holds the access to the CAN.


3.3 Significant Moments 

Let the current time be $t$, and suppose the vector $Z(t)$ is completely known. We
need to predict the value of $Z(t+s)$ at a future time instant $t+s$. We know that
the values of $Z(t+s)$ will evolve continuously within each stage. However, since
the message chain that has access to the CAN will change, and new instances
of messages will arrive, the values of $Z(t+s)$ will not evolve continuously in
between different stages, but will rather have jumps. The moments when these
jumps happen are of more significant value than other time instants.

Definition 7 At time $t$, we define the next significant moment as the time
instant $t + S(t)$ where the state vector $Z(t) = \{D(t), R(t), O(t), ID(t)\}$ evolves
continuously within the time interval $[t, t + S(t))$, but sees a jump in one of
the components of $Z(t)$ at time instant $t + S(t)$.

The state vector $\{D(t), R(t), O(t), ID(t)\}$ evolves continuously most of the time
except in two situations: (1) a new message accesses the CAN and starts
transmission, i.e. the message chain transits from Stage 2 to Stage 3 or from
Stage 5 to Stage 6; and (2) a new instance of a message chain arrives, i.e.
the message chain transits from Stage 7 to Stage 1. In the first situation,
$ID(t)$ will have a jump; and in the second situation, components of the vector
$\{D(t), R(t), O(t)\}$ will have a jump. At the current time $t$, the value of $S(t)$ is
the time interval between $t$ and the first time instant when a jump happens.


3.3.1 A new message chain gaining access to CAN 

At the current time $t$, we want to know how long after $t$ a new message will
gain access to the CAN. Depending on whether the CAN is busy or idle at the
current time $t$, we will have four different cases. To simplify the notation, we
use $\tau_{ID}$ to denote $\tau_{ID(t)}$ in the following part of this paper, unless otherwise
specified.

First, suppose that the CAN bus is busy at time $t$, i.e. $ID(t) \neq 0$, which
implies that $\tau_{ID}$ is currently being transmitted on the CAN. As discussed in
Section 3.2, we know that $\tau_{ID}$ at current time $t$ falls into either Stage 3 or Stage
6.

Case 1: $\tau_{ID}$ at Stage 3 when the residue $r_{ID}(t)$ satisfies the following condition

$I_{ID}^2(t) + C_{ID}^2(t) < r_{ID}(t) < C_{ID}^1(t) + I_{ID}^2(t) + C_{ID}^2(t)$    (11)

In this case, $\tau_{ID}$ will stay within Stage 3 before $\tau_{ID}^1$ finishes transmission. Hence
the next significant moment will happen no later than the moment when the
transmission finishes. Therefore, $S(t) \le r_{ID}(t) - [I_{ID}^2(t) + C_{ID}^2(t)]$.

Case 2: $\tau_{ID}$ at Stage 6, i.e. the residue $r_{ID}(t)$ satisfies the following condition

$0 < r_{ID}(t) < C_{ID}^2(t)$    (12)

In this case, $\tau_{ID}$ will stay within Stage 6 before $\tau_{ID}^2$ finishes transmission. No
other message will gain access to the CAN before $\tau_{ID}^2$ finishes transmission.
Then $S(t) \le r_{ID}(t)$.

Based on the above two cases, let us define $S_1(t)$ as the following

$S_1(t) = r_{ID}(t) - [I_{ID}^2(t) + C_{ID}^2(t)] \, \mathrm{sgn}(\max\{0, r_{ID}(t) - I_{ID}^2(t) - C_{ID}^2(t)\})$.    (13)

Since the CAN can only transmit one message and the transmission is
non-preemptive, it has to wait at least $S_1(t)$ amount of time before a new message
can access the CAN. Then the next significant moment for $\tau_{ID}(t)$ will be at
$t + S(t)$ where $S(t) \le S_1(t)$.

Next, we suppose that the CAN is idle at time $t$, i.e. $ID(t) = 0$, which
implies no message is currently being transmitted on the CAN. In other words,
all message chains are preparing sub-messages at current time $t$. In this case,
any message chain $\tau_n$ from $\{\tau_1, \dots, \tau_N\}$ falls into either Stage 1, 2, 4, or 5.
But if there is a message at stage 2 or stage 5 and no other message
has access to the CAN, then this message will immediately gain access to the
CAN right at the time $t$ and transit to Stage 3 or Stage 6, and $ID(t) \neq 0$.
In these cases $S(t) = 0$. Therefore, we only need to consider the cases where
all message chains are either at Stage 1 or Stage 4. Let us consider a message
chain indexed by $n$.

Case 3: $\tau_n$ is at Stage 1, i.e. the residue $r_n(t)$ satisfies the following condition

$C_n^1(t) + I_n^2(t) + C_n^2(t) < r_n(t) < I_n^1(t) + C_n^1(t) + I_n^2(t) + C_n^2(t)$    (14)

$\tau_n$ will stay within Stage 1 before $\tau_n^1$ finishes its preparation. The next
significant moment will happen at least before $\tau_n^1$ finishes its preparation. Hence
the value of $S(t)$ will be no bigger than the remaining preparation time of
$\tau_n^1$, i.e. $S(t) \le r_n(t) - C_n^1(t) - I_n^2(t) - C_n^2(t)$.

Case 4: $\tau_n$ is at Stage 4, i.e. the residue $r_n(t)$ satisfies the following condition

$C_n^2(t) < r_n(t) < I_n^2(t) + C_n^2(t)$    (15)

In this case, $\tau_n$ will stay within Stage 4 before $\tau_n^2$ finishes preparation. The
next significant moment will happen at least before $\tau_n^2$ finishes its preparation.
Hence the value of $S(t)$ will be no bigger than the remaining preparation time
of $\tau_n^2$, i.e. $S(t) \le r_n(t) - C_n^2(t)$.

Based on the above two cases, we know that the next significant moment
will happen at $t + S(t)$ where $S(t)$ should be at most equal to the remaining
preparation time for any message chain $\tau_n$

$S(t) \le r_n(t) - C_n^2(t) - [C_n^1(t) + I_n^2(t)] \, \mathrm{sgn}(\max\{0, r_n(t) - I_n^2(t) - C_n^2(t)\})$    (16)

This argument holds for all tasks in stages 1, 2, 4, or 5. Define $S_2(t)$ as

$S_2(t) = \min \{ r_n(t) - C_n^2(t) - [C_n^1(t) + I_n^2(t)] \, \mathrm{sgn}(\max\{0, r_n(t) - I_n^2(t) - C_n^2(t)\}) \}$    (17)

Therefore, the next significant moment will happen at $t + S(t)$ where $S(t) \le S_2(t)$.

At the significant moments $t + S(t)$ in the four cases above, if either
equation (13) or equation (17) holds, i.e. $S(t) = S_1(t)$ for $ID(t) \neq 0$ or $S(t) =
S_2(t)$ for $ID(t) = 0$, then the value of $ID(t + S(t))$ will see a jump as

$ID(t + S(t)) = \operatorname{argmin}_{\{i \,|\, \tau_i \text{ in Stages 2 or 4, at } t + S(t)\}} P_i(t + S(t))$    (18)

If the set $\{i \,|\, \tau_i \text{ at Stages 2 or 4 at } t + S(t)\}$ is empty, then $ID(t + S(t)) = 0$. The
values of $\{D(t), R(t), O(t)\}$ will remain unchanged.

3.3.2 A new instance of message chain arrives 

The states of a message chain will jump discretely whenever a new instance
of a message arrives. For any message chain $\tau_n$, a new instance of $\tau_n$ will
arrive at $t + d_n(t)$. Therefore, the earliest next instance of message chains in
$\{\tau_1, \dots, \tau_N\}$ will not arrive until $t + \min_{1 \le n \le N} \{d_n(t)\}$. Define $S_3(t)$ as

$S_3(t) = \min_{1 \le n \le N} \{d_n(t)\}$.    (19)

Then $S(t) \le S_3(t)$.

Let $n^*$ be the index of the message chain that has the earliest instance that
is arriving after $t$. If $S(t) = d_{n^*}(t)$, then

$d_{n^*}(t + S(t)) = T_{n^*}(t + S(t))$
$r_{n^*}(t + S(t)) = I_{n^*}^1(t + S(t)) + C_{n^*}^1(t + S(t)) + I_{n^*}^2(t + S(t)) + C_{n^*}^2(t + S(t))$
$o_{n^*}(t + S(t)) = 0$.    (20)

All the other components in $\{D(t+S(t)), R(t+S(t)), O(t+S(t))\}$ do not jump.
Since there is no change of access to the CAN, the state variable $ID(t + S(t))$
does not jump either.


3.4 The Timing Model 

Let $S(t) = \min\{S_1(t), S_2(t), S_3(t)\}$. Our timing model integrates both the
continuous time evolution of the state vector $Z(t)$ within $[t, t + S(t))$, and
the discrete jumps at $t + S(t)$. Hence the evolution of the state vector within
any large time interval $[t_a, t_b]$ can be obtained by concatenating the evolution
within the individual continuous time intervals that belong to $[t_a, t_b]$.

Theorem 1 At any time instant $t$, given initial values of the state vector
$Z(t) = [D(t), R(t), O(t), ID(t)]$ and the parameters of the message chains
$\{T_n(t+s'), I_n^1(t+s'), C_n^1(t+s'), I_n^2(t+s'), C_n^2(t+s'), P_n(t+s')\}_{n=1}^{N}$ for all
$0 < s' < s$, there exists a unique vector $[D(t+s), R(t+s), O(t+s), ID(t+s)]$.

Proof Based on our previous discussion, we will just construct the unique
solution $Z(t+s)$ at any $s > 0$. We first show that a unique trajectory is generated
from the continuous evolution of the state vector $\{D(t), R(t), O(t), ID(t)\}$ from
$t$ to any time $t + s$ where $t + s \in [t, t + S(t))$.

For any message chain indexed $n$, since $d_n(t)$ will continuously decrease as
time propagates, we have that

$d_n(t + s) = d_n(t) - s$    (21)

Next, we consider the residue $r_n(t)$. If the message chain $n$ is at Stages 1, 3,
4, or 6, then

$r_n(t + s) = r_n(t) - s$.    (22)

If the message chain $n$ is at Stages 2, 5, or 7, then

$r_n(t + s) = r_n(t)$.    (23)

Next, we consider the delay $o_n(t)$. If $\tau_n$ has been processed before $t$, i.e. $r_n(t) =
0$, the delay $o_n(t)$ will not increase after $t$. On the other hand, if $\tau_n$ has not
finished before $t$, i.e. $r_n(t) > 0$, the delay $o_n(t)$ will continuously increase
between $t$ and $t + s$. Thus, we have that

$o_n(t + s) = o_n(t) + \mathrm{sgn}(r_n(t)) \, s$.    (24)

Finally, we consider the index $ID(t)$. It will stay constant between $t$ and
$t + s$ since there is no significant moment, i.e.

$ID(t + s) = ID(t)$.    (25)

We see that all the values in the state vector $Z(t + s)$ are uniquely determined.

We now show that at a significant moment, the states jump to unique
values. The possible values for $S(t)$ have been given in equations (13), (17)
and (19) as $S_1(t)$, $S_2(t)$ and $S_3(t)$. The possible jumps in the states are given
by equations (18) and (20). In all cases the states jump to unique values. □

Due to the theorem, we can represent the hybrid timing model of the CAN
based system as

$Z(t + s) = H\left(Z(t), \{T_n, I_n^1, C_n^1, I_n^2, C_n^2, P_n\}_{n=1}^{N}(t + s')\right)$    (26)

where the symbol $H(\cdot)$ represents the timing model and $\{T_n, I_n^1, C_n^1, I_n^2, C_n^2, P_n\}_{n=1}^{N}(t + s')$
represents the parameters of all tasks at any time $t + s'$ for all $0 < s' < s$.

One immediate benefit of this timing model is a necessary and sufficient 
condition for schedulability of all messages in a finite time window. 

Definition 8 A message chain $\tau_n$ is instantaneously schedulable on the CAN
at time $t$ if $r_n(t) < d_n(t)$.

If $\tau_n$ is instantaneously schedulable for all time $t$, then all the deadlines of $\tau_n$
are met, and the message chain $\tau_n$ is schedulable in the usual definition. On the other
hand, if the message chain $\tau_n$ is schedulable, then all the deadlines of $\tau_n$ are
met, which implies that the message chain is instantaneously schedulable for
all $t$.

Corollary 1 A message chain $\tau_n$ is instantaneously schedulable on the CAN
at time $t$ if $r_n((t + S(t))^-) < d_n((t + S(t))^-)$.

Proof Using the dynamic timing model which contains equations (21), (22)
and (23), we must have

$d_n((t + S(t))^-) - r_n((t + S(t))^-) = d_n(t) - S(t) - r_n((t + S(t))^-)$
$< d_n(t) - S(t) - (r_n(t) - S(t))$
$= d_n(t) - r_n(t)$.    (27)

Hence if $r_n((t + S(t))^-) < d_n((t + S(t))^-)$, then $r_n(t) < d_n(t)$.

Corollary 2 A message chain is schedulable if and only if it is instantaneously 
schedulable at the significant moments. 

Proof Consider the time instants right before the significant moments $t + S(t)$.
If the message is instantaneously schedulable at these moments, then the
message chain is instantaneously schedulable at any time $t$. The entire message
chain is schedulable. If a message chain is not instantaneously schedulable
at the significant moments, then the message chain is not schedulable. □
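The model of Sections 3.1 to 3.4 can be exercised with a short event-driven propagation of $Z(t)$ that stops only at significant moments, reads each delay from $o_n$ just before the next instance starts, and applies the Definition 8 test at every stop. This is an added example, not code from the paper. It assumes integer time units, constant positive parameters, all chains released at $t = 0$, a smaller $P_n$ winning arbitration, arbitration among the chains waiting for the bus (Stages 2 and 5 of the stage list), and the schedulability test read as $r_n \le d_n$; both chain sets are constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Chain:
    T: int    # sampling interval T_n
    I1: int   # preparation time of sub-message 1 (I_n^1)
    C1: int   # transmission time of sub-message 1 (C_n^1)
    I2: int   # preparation time of sub-message 2 (I_n^2)
    C2: int   # transmission time of sub-message 2 (C_n^2)
    P: int    # priority P_n; smaller value wins arbitration (assumption)

def stage_left(c, r, on_bus):
    """Time left in the current residue-decreasing stage (1, 3, 4 or 6),
    or None while the chain waits or is finished (Stages 2, 5, 7)."""
    rest = c.I2 + c.C2
    if on_bus:                        # Stage 3 or 6: S_1 of eq. (13)
        return r - rest if r > rest else r
    if r > c.C1 + rest:               # Stage 1: sub-message 1 in preparation
        return r - c.C1 - rest
    if c.C2 < r <= rest:              # Stage 4: sub-message 2 in preparation
        return r - c.C2
    return None

def predict(chains, horizon):
    """Propagate Z(t) = [D, R, O, ID] from t = 0 to the horizon."""
    N = len(chains)
    d = [c.T for c in chains]                          # deadlines d_n
    r = [c.I1 + c.C1 + c.I2 + c.C2 for c in chains]    # residues r_n
    o = [0] * N                                        # delays o_n
    bus, t = 0, 0                                      # ID(t); 0 means idle
    delays = {n + 1: [] for n in range(N)}
    while True:
        # Left limit of a significant moment: Definition 8 / Corollary 2 test.
        for n in range(N):
            if r[n] > d[n]:
                return {"schedulable": False, "t": t, "chain": n + 1,
                        "delays": delays}
        # End of Stage 3 or Stage 6 frees the bus (transmission is non-preemptive).
        if bus:
            c = chains[bus - 1]
            if r[bus - 1] in (c.I2 + c.C2, 0):
                bus = 0
        # Jump of eq. (20): a new instance arrives; the delay of the previous
        # instance is o_n just before the jump (Theorem 3).
        for n, c in enumerate(chains):
            if d[n] == 0:
                delays[n + 1].append(o[n])
                d[n], r[n], o[n] = c.T, c.I1 + c.C1 + c.I2 + c.C2, 0
        # Arbitration on an idle bus among waiting chains (Stages 2 and 5).
        if bus == 0:
            waiting = [n for n, c in enumerate(chains)
                       if r[n] in (c.C1 + c.I2 + c.C2, c.C2)]
            if waiting:
                bus = 1 + min(waiting, key=lambda n: chains[n].P)
        if t >= horizon:
            return {"schedulable": True, "t": t, "chain": None, "delays": delays}
        # S(t): end of any decreasing stage, next arrival S_3, or the horizon.
        left = [stage_left(c, r[n], n + 1 == bus) for n, c in enumerate(chains)]
        S = min([x for x in left if x is not None] + [min(d), horizon - t])
        # Continuous evolution over [t, t + S): eqs. (21)-(25).
        for n in range(N):
            if r[n] > 0:
                o[n] += S
            if left[n] is not None:
                r[n] -= S
            d[n] -= S
        t += S

# Constructed sample sets (T, I1, C1, I2, C2, P), in abstract time units.
FEASIBLE = [Chain(10, 1, 2, 1, 2, 1), Chain(15, 1, 2, 1, 2, 2)]
OVERLOADED = [Chain(10, 1, 2, 1, 2, 1), Chain(8, 1, 2, 1, 2, 2)]

if __name__ == "__main__":
    print(predict(FEASIBLE, 30))
    print(predict(OVERLOADED, 30))
```

Without contention every delay would be 6 units; the values above 6 in the first result are bus blocking, and the second set fails the test as soon as the residue of chain 2 exceeds its deadline.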
4 State Observer

At each embedded controller node, the hybrid timing model will be used to
predict delays and timing constraints for MPC. The prediction requires the
knowledge of the state vector $Z(t) = [D(t), R(t), O(t), ID(t)]$. Since the CAN
uses a broadcast scheme, each embedded controller node will know which message
is currently being transmitted on the CAN, i.e. the value of $ID(t)$ can
be determined. However, the values of the states $[D(t), R(t), O(t)]$ may not be
measured directly. In this section, we will discuss how to estimate the state
vector $[D(t), R(t), O(t)]$ based on events that can be observed on the CAN.


4.1 Estimation of $[D(t), R(t), O(t)]$

As discussed in [Di Natale et al. 2012], CAN chips can generate an interrupt
whenever a message is received by a node. These interrupts can be pre-handled
by a dedicated MCU that is usually shipped together with the CAN chip. Therefore,
we can easily design an interrupt handler on the host processor of a CAN node
to observe the receiving times of $\tau_n^1[k]$ and $\tau_n^2[k]$, which correspond to $\beta_n[k]$
and $\gamma_n[k]$ as shown in Figure 2. Note that the CAN utilizes a broadcast scheme
for message transmission. The MPC controller node in each feedback loop
can receive not only messages within its own control loop, but also messages
from other feedback control loops. Therefore, each MPC controller node has
complete information of $\{\beta_n[k], \gamma_n[k]\}$ for all message chains $\{\tau_1, \dots, \tau_N\}$ on
the CAN. But there is no direct way to measure $\alpha_n[k]$.

Based on the above observations, we propose an algorithm to estimate the
value of $\alpha_n[k]$ as follows

$\hat{\alpha}_n[k] = \min\{\hat{\alpha}_n[k-1] + T_n[k-1], \; \beta_n[k] - C_n^1[k] - I_n^1[k]\}$    (28)

where $\hat{\alpha}_n[k-1]$ is the estimate from the previous observations of $\beta_n[k-1]$
and $\gamma_n[k-1]$. Each controller node can estimate $\alpha_n[k]$ for all message chains.
The computation of $\hat{\alpha}_n[k]$ for $1 \le n \le N$ at each node is linear with respect
to the number of control loops.

At the current time $t$, given $\{\hat{\alpha}_n[k], \beta_n[k], \gamma_n[k]\}$, each embedded controller
node can estimate the state vector $\{\hat{d}_n(t), \hat{o}_n(t), \hat{r}_n(t)\}$. The deadline $d_n(t)$ is
estimated as

$\hat{d}_n(t) = \hat{\alpha}_n[k] + T_n[k] - t$,    (29)

where $\hat{\alpha}_n[k] + T_n[k]$ is the time instant when $\tau_n[k+1]$ starts. The delay $o_n(t)$
is estimated as

$\hat{o}_n(t) = \begin{cases} t - \hat{\alpha}_n[k] & \text{if } \tau_n^2[k] \text{ NOT received} \\ \gamma_n[k] - \hat{\alpha}_n[k] & \text{if } \tau_n^2[k] \text{ received} \end{cases}$    (30)

The delay will not increase if $\tau_n^2[k]$ has finished transmission before $t$. The
residue $r_n(t)$ can be estimated as

$\hat{r}_n(t) = \begin{cases} \{I_n^1 + C_n^1 + I_n^2 + C_n^2\}[k] - \min\{t - \hat{\alpha}_n[k], I_n^1[k]\}, & \tau_n^1[k] \text{ and } \tau_n^2[k] \text{ NOT received} \\ I_n^2[k] + C_n^2[k] - \min\{t - \beta_n[k], I_n^2[k]\}, & \tau_n^1[k] \text{ received, } \tau_n^2[k] \text{ NOT received} \\ 0, & \tau_n^1[k] \text{ and } \tau_n^2[k] \text{ received} \end{cases}$    (31)

where $\{I_n^1 + C_n^1 + I_n^2 + C_n^2\}[k]$ is the shorthand notation for $I_n^1[k] + C_n^1[k] + I_n^2[k] + C_n^2[k]$.

Whenever a message is received by the controller node, an interrupt function
can be triggered to estimate $[\hat{d}_n(t), \hat{r}_n(t), \hat{o}_n(t)]$ for $n = 1, 2, \dots, N$ at
the moment of reception. Then the state vector $[D(t), R(t), O(t)]$ will be
constructed. The timing model $H$ can then be used to predict the state vectors in
future times starting from $t$.


4.2 Convergence of Estimation 

We show that the estimation $[\hat{D}(t), \hat{R}(t), \hat{O}(t)]$ will have bounded error. The
error will not increase as time $t$ propagates.

As we discussed in Equation (29), (30), and (31), the estimates $[\hat{D}(t), \hat{R}(t), \hat{O}(t)]$
are derived from $\{\hat{\alpha}_n[k], \beta_n[k], \gamma_n[k]\}_{n=1}^{N}$. Since $\{\beta_n[k], \gamma_n[k]\}_{n=1}^{N}$ can be
directly observed from the CAN, the accuracy of estimating $[D(t), R(t), O(t)]$ is
actually determined by the accuracy of estimating $\alpha_n[k]$. Define the estimation
error between $\hat{\alpha}_n[k]$ and $\alpha_n[k]$ as

$\epsilon_n[k] = \hat{\alpha}_n[k] - \alpha_n[k]$ for any $k \ge 0$    (32)

Claim The estimation error $\epsilon_n[k]$ is non-negative and non-increasing as $k$
grows, i.e.

$\epsilon_n[0] \ge \epsilon_n[1] \ge \dots \ge \epsilon_n[k] \ge \epsilon_n[k+1] \ge \dots \ge 0$.    (33)

Proof First, we prove that the estimation error is non-negative, i.e. $\epsilon_n[k] \ge 0$
for any $k \ge 0$. When multiple message chains $\{\tau_1, \dots, \tau_N\}$ are transmitted on
the CAN, each message may not be transmitted immediately after it is ready.
Instead, it has to compete with other messages for access to the CAN. Thus,
we have that

$\alpha_n[k] + I_n^1[k] \le \beta_n[k] - C_n^1[k]$ for any $k \ge 0$    (34)

where the left hand side represents the time when a message $\tau_n^1[k]$ is ready for
transmission, i.e. $\tau_n$ at Stage 2, and the right hand side represents the time
when $\tau_n^1[k]$ actually starts to transmit on the CAN bus, i.e. $\tau_n$ at the beginning
of Stage 3. According to Equation (28) and (34), we know that

$\hat{\alpha}_n[0] = \beta_n[0] - C_n^1[0] - I_n^1[0] \ge \alpha_n[0]$    (35)

which implies $\epsilon_n[0] \ge 0$. Moreover, we have that

$\hat{\alpha}_n[0] + T_n[0] \ge \alpha_n[0] + T_n[0] = \alpha_n[1]$.    (36)

According to Equation (34), we have that

$\beta_n[1] - C_n^1[1] - I_n^1[1] \ge \alpha_n[1]$    (37)

Therefore, based on Equation (28), (36), and (37), we have that

$\hat{\alpha}_n[1] = \min\{\hat{\alpha}_n[0] + T_n[0], \; \beta_n[1] - C_n^1[1] - I_n^1[1]\} \ge \alpha_n[1]$    (38)

which implies that $\epsilon_n[1] \ge 0$. By induction, we have shown that $\epsilon_n[k] \ge 0$ for
any $k \ge 0$.

Next, we show that the estimation error $\epsilon_n[k]$ is non-increasing as $k$ grows,
i.e. $\epsilon_n[k] \ge \epsilon_n[k+1]$. According to Equation (28), we have that

$\hat{\alpha}_n[k+1] \le \hat{\alpha}_n[k] + T_n[k]$    (39)

which implies that

$\hat{\alpha}_n[k+1] - \hat{\alpha}_n[k] \le T_n[k] = \alpha_n[k+1] - \alpha_n[k]$    (40)

Hence, we have that

$\hat{\alpha}_n[k] - \alpha_n[k] \ge \hat{\alpha}_n[k+1] - \alpha_n[k+1]$    (41)

Therefore, $\epsilon_n[k] \ge \epsilon_n[k+1]$ for any $k \ge 0$ is proved. □


The claim implies that the estimation errors for the state vector are all
bounded and the error will never increase. In fact, we have observed in our
simulations that this error often decreases to zero. But there are cases where
the error stays at a constant value.

Using the estimated states, we can also test for instantaneous schedulability
by checking the condition $\hat{r}_n(t) < \hat{d}_n(t)$ at the significant moments. The
following theorem holds.

Theorem 2 If a task is instantaneously schedulable, i.e. $r_n(t) < d_n(t)$, then
the estimated states satisfy $\hat{r}_n(t) < \hat{d}_n(t)$.

Proof According to equation (29), we have

$\hat{d}_n(t) = \hat{\alpha}_n[k] + T_n[k] - t$
$= \alpha_n[k] + \epsilon_n[k] + T_n[k] - t$
$= d_n(t) + \epsilon_n[k]$
$> r_n(t) + \epsilon_n[k]$.    (42)

According to (31), we have

$\hat{r}_n(t) - r_n(t) = \begin{cases} \min\{t - \alpha_n[k], I_n^1[k]\} - \min\{t - \hat{\alpha}_n[k], I_n^1[k]\} & \tau_n^1[k] \text{ and } \tau_n^2[k] \text{ NOT received} \\ 0 & \text{otherwise} \end{cases}$    (43)

which implies that $\hat{r}_n(t) - r_n(t) = \hat{\alpha}_n(t) - \alpha_n(t) = \epsilon_n[k]$. Therefore $\hat{r}_n(t) <
\hat{d}_n(t)$. □

The above theorem implies that if the message chains are schedulable, then
the estimated states will never fail the schedulability test. On the other hand,
suppose we detect that a message chain is not schedulable using the estimated
states, then the task set must not be schedulable.
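The observer of Sections 4.1 and 4.2 written out as an added example (not code from the paper): the recursion of equation (28), the state estimates of equations (29) to (31), and a check of the claim in (33). It assumes constant $T_n$, $I_n^1$, $C_n^1$, $I_n^2$, $C_n^2$ in integer time units; the reception times and the true start times are constructed values for a lower-priority chain whose first instance is held back by bus contention.

```python
def alpha_hat(betas, T, I1, C1):
    """Eq. (28): estimate each start time alpha_n[k] from the observed
    reception times beta_n[k] of the first sub-message."""
    est = []
    for k, beta in enumerate(betas):
        bound = beta - C1 - I1   # latest start consistent with beta_n[k], eq. (34)
        est.append(bound if k == 0 else min(est[-1] + T, bound))
    return est

def estimate_state(t, a_hat, beta, gamma, T, I1, C1, I2, C2):
    """Eqs. (29)-(31) for the active instance. beta and gamma are the observed
    reception times of sub-messages 1 and 2, or None if not yet received."""
    d_hat = a_hat + T - t                                       # eq. (29)
    o_hat = (t - a_hat) if gamma is None else (gamma - a_hat)   # eq. (30)
    if beta is None:                    # neither sub-message received
        r_hat = I1 + C1 + I2 + C2 - min(t - a_hat, I1)
    elif gamma is None:                 # first received, second pending
        r_hat = I2 + C2 - min(t - beta, I2)
    else:                               # both received
        r_hat = 0
    return d_hat, r_hat, o_hat

def estimation_errors(a_hat, alpha):
    """Eq. (32): epsilon_n[k] = alpha_hat_n[k] - alpha_n[k]."""
    return [h - a for h, a in zip(a_hat, alpha)]

def claim_33_holds(eps):
    """Claim (33): errors are non-negative and non-increasing in k."""
    return all(e >= 0 for e in eps) and all(x >= y for x, y in zip(eps, eps[1:]))

# Constructed observation set: T = 15, I1 = 1, C1 = 2, I2 = 1, C2 = 2.
PARAMS = dict(T=15, I1=1, C1=2, I2=1, C2=2)
TRUE_ALPHA = [0, 15, 30]   # true start times, unknown to the observer
BETAS = [5, 18, 35]        # observed end of sub-message 1 (first one delayed)
GAMMAS = [9, 21, 39]       # observed end of sub-message 2

if __name__ == "__main__":
    a_hat = alpha_hat(BETAS, PARAMS["T"], PARAMS["I1"], PARAMS["C1"])
    eps = estimation_errors(a_hat, TRUE_ALPHA)
    print("alpha_hat:", a_hat, "errors:", eps, "claim (33):", claim_33_holds(eps))
    # State estimate at t = 7, after beta[0] = 5 and before gamma[0] = 9.
    print(estimate_state(7, a_hat[0], BETAS[0], None, **PARAMS))
```

At $t = 7$ the estimated deadline exceeds the true one (8 in the constructed schedule) by exactly $\epsilon_n[0] = 2$, which is the relation used in the proof of Theorem 2.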

5 MPC Design 

In this section, the MPC design problem proposed in Section 2 will be solved.
We assume that all the message chains are schedulable. Since each control loop
is independent, the MPC design for any of the loops can be solved in the same
way.

Let us consider the MPC design for the $n$th feedback loop corresponding
to the message chain $\tau_n$. As discussed in Section [?~T1 the value of $\delta_n[k]$ within
the prediction horizon is needed for MPC design. The message chain $\tau_n$ has
$K$ instances that fall within the prediction horizon. Let the indices of these
instances start from $k$ and end at $k + K - 1$ where $K > 1$ is an integer. Then
we need to determine $\delta_n[k + j - 1]$ for $j = 1, 2, \dots, K$.

Theorem 3 Suppose all messages are schedulable. Consider the time instants 


j 



(44) 


for $j = 1, 2, \dots, K$. Then the delay $\delta_n[k + j - 1]$ can be obtained from the states
as

$\delta_n[k + j - 1] = o_n(t_j^-)$.    (45)


Proof By definition of the state variable $o_n(t)$, it represents the time delay
between the starting time of the active instance of a message chain and the
time $t$. If we let $t = t_j$, then $o_n(t_j^-)$ is the delay between the starting time
of the active instance $\tau(t_j)$ and $t_j$. Since all message chains are schedulable,
the active instance $\tau(t_j)$ would have been processed before $t_j$. Then the delay
$o_n(t_j^-)$ is the delay between the starting time and the finishing time of the
active instance, i.e. $\delta_n[k + j - 1] = o_n(t_j^-)$. □

Let the current time be $t$. Suppose we have estimated the state vector $Z(t)$
by the state observer introduced in Section 4. Then, we will be able to predict
the future trajectory of $Z(t + s)$ for all $s \in [0, T_p]$ where $T_p$ is the length of the
prediction horizon:



(46) 


where $0 < s' < s$. Using the hybrid timing model $H$, let $t + s = t_j$ for $j =
1, 2, \dots, K - 1$. We can perform online prediction of the delay as $\delta_n[k + j - 1] =
o_n(t_j^-)$ according to equation (45). Due to the fact that $\hat{\alpha}_n[k] \ge \alpha_n[k]$, the
delay based on the estimate $\hat{o}_n$ may be smaller than the actual delay.

With the delays $\delta_n[k + j - 1]$ for $j = 1, 2, \dots, K$ all determined,
the MPC design problem (6) subject to the constraints (6a)-(6c) is now well
formulated. The solution of the continuous time MPC problem can be obtained
using well-known optimization techniques as in [Wang 2009]. The resulting
piecewise linear control effort is then applied to the plant until the next time
the controller is triggered. The timing model will be engaged again to predict
the delays, and then a new piecewise control law will be computed by solving
the MPC design problem. This process will be iterated. The prediction of
the delay requires little computing time for the following reasons: (1) the
timing model is very simple with linear complexity; (2) the calculation is only
performed at the significant moments because the transition between any two
consecutive moments is continuous and follows the equations in the timing
model. Hence, the timing model is compatible with the MPC design approach.


6 Numeric Simulation 

In this section, we use numeric simulations to demonstrate the MPC design 
using the hybrid timing model of the CAN. We show that the timing model is 
preferred even when there exist other simulation tools to generate the timing 
sequences for the message chains. 

The simulation environment for the CAN-based control system is established
according to Figure 1. To compare with our approach, the CAN in Figure 1 is
simulated using Truetime (Version 2.0) [Cervin et al. 2003]. Truetime is a
Matlab/Simulink-based simulator for real-time control systems, which provides
a network block that supports the protocol of the CAN. The Truetime
simulation results are used as the ground truth for the timing of message
chains.

Our simulation contains three feedback control loops sharing the CAN. 
The plant in each feedback loop is an inverted pendulum model represented 
as follows 


x n (t) = 

0 1' 


' 0 ' 

C-n 

Vn{t) = 

1 0 ] x n (t) 



*(*) 


(47) 


The inverted pendulums in the three feedback control loops have different
coefficients: $[a_1, a_2, a_3] = [98, 65, 44]$, $[b_1, b_2, b_3] = [120, 52, 30]$ and
$[c_1, c_2, c_3] = [20, 13, 10]$. The sensor nodes sample the state of the plants
at time intervals of 20 ms, 30 ms, and 40 ms. Each sensor node needs 1 ms to
process the sampling information and generate a sensor message. The MPC
controller node in each feedback control loop computes an optimal control
signal $u_n(t)$ that makes the plant output $y_n(t)$ track a given reference
trajectory $\gamma_n(t)$ as close as possible, under the constraint that
$-4 < u_n(t) < 4$. The computation time of an MPC is 2 ms. The actuator node
takes action as soon as the control message is received from the CAN bus. We
assume that sensor and control messages have a transmission duration of 3 ms
and that they are assigned unique identifier fields such that the priorities of
the message chains satisfy
$P_1^1[k] < P_1^2[k] < P_2^1[k] < P_2^2[k] < P_3^1[k] < P_3^2[k]$, which implies
that the first feedback loop has the highest priority and the third loop has
the lowest priority. Hence the three message chains transmitted on the CAN
have the following characteristics

$[T_1(t), I_1^1(t), C_1^1(t), I_1^2(t), C_1^2(t)] = [20, 1, 3, 2, 3]$ ms
$[T_2(t), I_2^1(t), C_2^1(t), I_2^2(t), C_2^2(t)] = [30, 1, 3, 2, 3]$ ms
$[T_3(t), I_3^1(t), C_3^1(t), I_3^2(t), C_3^2(t)] = [40, 1, 3, 2, 3]$ ms    (48)


$\delta_n[k]$    k=1      k=2      k=3      k=4
n=1        10 ms    9 ms     10 ms    10 ms
n=2        13 ms    9 ms     13 ms    11 ms
n=3        21 ms    13 ms    13 ms    21 ms

Table 3: Delays predicted through the hybrid timing model


6.1 Verification of Hybrid Timing Model 

We first verify the correctness of our proposed timing model by comparing
the delays predicted through the hybrid timing model with the delays observed
from the simulation results generated from Truetime. Suppose the message
chains in Equation (48) are being transmitted on the CAN. Figure 4 shows
the timing of message chains generated by the Truetime simulation. Table 3
shows the delays $\delta_n[k]$ predicted through the hybrid timing model in
Equation (01)1) and C5l). In Figure 4, the value “0.5” indicates that the
message is ready for transmission but blocked by other messages on the CAN
bus, the value “1” indicates that the message is being transmitted on the CAN
bus, and the value “0” indicates that the message has finished transmission.

For illustration, we examine the delay $\delta_3[k]$ in the third feedback control
loop. The delays in the other feedback control loops can be studied using
exactly the same procedure. We know that $\delta_3[k]$ is the time interval between
the moment when the sensor takes measurements and the moment when the
actuator takes action. The sensor in the third feedback control loop takes
measurements at 0 ms, 40 ms, 80 ms, and 120 ms. By closely examining Figure 4,
we observe that the control message r| in the third feedback control loop
finishes transmission at 21 ms, 53 ms, 92 ms, and 141 ms. Therefore, the
observation of Figure 4 shows that the value of $\delta_3[k]$ is 21 ms, 13 ms, 12 ms,
and 21 ms, for $1 \le k \le 4$. This observation exactly matches the values of
$\delta_3[k]$ listed in Table 3. Similarly, we can see that the values of
$\delta_1[k]$ and $\delta_2[k]$ observed from Figure 4 also match those listed in
Table 3. Therefore, we can claim that the hybrid timing model can accurately
describe the timing of message chains on the CAN.

Fig. 4: Timing of message chains produced by Truetime simulation
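
The delays compared in this subsection can be cross-checked with a small event-driven simulation of non-preemptive, priority-arbitrated bus access for the three message chains of Equation (48). The following Python code is an added example, not the paper's hybrid timing model or its Truetime setup; the names `CHAINS` and `simulate_delays`, and the ranking of a chain's sensor frame above its control frame, are assumptions of the example.

```python
import heapq

# Message chains from Equation (48), in ms: period T, sensor processing I1,
# sensor frame time C1, controller computation I2, control frame time C2.
CHAINS = {1: (20, 1, 3, 2, 3), 2: (30, 1, 3, 2, 3), 3: (40, 1, 3, 2, 3)}

def simulate_delays(chains, horizon):
    """Sensor-to-actuator delay of every instance sampled before `horizon` ms."""
    # A frame's priority is (chain, stage); the smaller tuple wins arbitration.
    # Stage 0 is the sensor frame, stage 1 the control frame. Ranking a chain's
    # sensor frame above its control frame is an assumption of this example.
    future = []  # (time the frame becomes ready, priority, sample time)
    for n, (period, i1, *_) in chains.items():
        for t0 in range(0, horizon, period):
            heapq.heappush(future, (t0 + i1, (n, 0), t0))
    ready = []   # (priority, sample time): frames waiting for the bus
    delays = {n: [] for n in chains}
    now = 0
    while future or ready:
        if not ready:                          # bus idle until the next frame
            now = max(now, future[0][0])
        while future and future[0][0] <= now:
            _, prio, t0 = heapq.heappop(future)
            heapq.heappush(ready, (prio, t0))
        (n, stage), t0 = heapq.heappop(ready)  # highest-priority ready frame
        _, _, c1, i2, c2 = chains[n]
        now += c1 if stage == 0 else c2        # non-preemptive transmission
        if stage == 0:                         # controller computes, then queues
            heapq.heappush(future, (now + i2, (n, 1), t0))
        else:                                  # actuator acts on reception
            delays[n].append(now - t0)
    return delays

if __name__ == "__main__":
    for n, d in simulate_delays(CHAINS, 160).items():
        print(f"n={n}:", ", ".join(f"{x} ms" for x in d[:4]))
```

For the chains of Equation (48), the first four delays of each loop equal the corresponding row of Table 3.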


6.2 Analysis of Computational Cost 

Even though Truetime and other event-based simulation tools are able to
generate the timing sequences of the message chains, running such simulations
takes a significant amount of computational resources. Hence these simulations
may be too slow for real-time embedded applications. Our timing model is
discontinuous at a limited number of time points, but continuous the rest of
the time. So, running our model only requires significant computation at a
small fraction of discrete time points, and the system transition between any
two consecutive discrete time points can be directly derived using
mathematical equations. This causes a significant reduction of computing load
when compared to typical simulation-based methods. To verify this
computational advantage, we evaluate the computational time of generating the
scheduled behavior in Figure 4 using both the hybrid timing model and
Truetime. The experiment is performed on a MacBook computer with a 2.26 GHz
Intel Core 2 Duo processor and 4 GB of 1067 MHz DDR3 memory. Since Truetime is
written in C++ Mex, we also implement the analytical timing model in the same
way as Truetime. Matlab version 2010Rb and Truetime Version 2.0 are used for
the comparison. For each simulation window length that falls within [0, 100] s,
we run both methods 50 times and then calculate the averaged computation time
for each method. Fig. 5 shows the comparison. The horizontal axis denotes the
window length used for all simulated scheduled behaviors, and the vertical
axis denotes the time spent to compute the simulation. In both figures, the
computational time increases linearly with the window length. More
importantly, we can see that the hybrid timing model is approximately 4000
times faster than Truetime, which is a significant improvement for embedded
system applications.

Fig. 5: Comparing the time needed to simulate scheduled behaviors.
(a) Hybrid Timing Model; (b) Truetime Simulation.


6.3 MPC Performance 

We demonstrate the performance of the MPC using the hybrid timing model
for a CAN-based control system operating in a dynamic, uncertain environment.
Suppose the messages on the CAN are changed at runtime. We consider two
types of message adjustments on the CAN within the time interval [1, 1.5] s.
One is the adjustment of the message periods as

$[T_1(t), T_2(t), T_3(t)] = [20, 40, 50]$ ms    (49)

The other type of adjustments is the activation of two sporadic messages on 
the CAN, which have the following characteristics 

$[T_4(t), I_4^1(t), C_4^1(t), I_4^2(t), C_4^2(t)] = [40, 0.2, 1, 0, 0]$ ms
$[T_5(t), I_5^1(t), C_5^1(t), I_5^2(t), C_5^2(t)] = [60, 0.2, 1, 0, 0]$ ms    (50)

The sporadic messages are assigned unique identifier field such that Pslk] < 
Pi[k\ < [k]. Note that since these adjustments happen at runtime, their 
characteristics are not available at the off-line design stage. It is then expected 
that the timing of the message chains will be disturbed and the controller 
performance will be affected. 

We compare two different approaches of designing MPC for the CAN-based
control system. The two approaches differ in their way of predicting
$\delta_n[k]$. In the first approach, the delay $\delta_n[k]$ is predicted off-line
through the worst-case analysis discussed in [Tindell and Burns 1994]
[Tindell et al. 1995][Davis et al. 2007]. In the second approach, the delay
$\delta_n[k]$ is predicted online through the hybrid timing model. Figure 6 shows
the MPC performance of three feedback control loops under the above two
different approaches. The solid line represents the plant output $y_n(t)$ and
the dashed line represents the reference trajectory $\gamma_n(t)$. The left plots
are results of the first approach that uses the worst-case response time and
the right plots are results of the second approach that uses the hybrid timing
model. It is obvious that the second approach (right plots) gives better
performance than the first approach (left plots). This is because in the
second approach, delays are predicted online using the hybrid timing model of
the CAN, which can accurately predict the delay and dynamically compensate
for it.

Fig. 6: MPC performance of three feedback control loops, under two design
approaches. (a) The first feedback control loop; (b) the second feedback
control loop; (c) the third feedback control loop. Horizontal axis: time in
seconds.

Also, it is worth mentioning that even in the first approach (left plots),
MPC performance in the first feedback control loop is better than in the other
two loops. This is because the messages in the first feedback control loop are
assigned the highest priorities among all messages on the CAN. Therefore, the
difference between the actual delay and the worst-case response time is small
in the first feedback control loop. Even using the worst-case response time for
MPC design can still give acceptable performance for the first feedback
control loop. However, this difference increases in the second and third
feedback control loops, which leads to degraded MPC performance.


7 Conclusion and Future Work

The main contribution of this paper is a hybrid timing model for messages
scheduled on the CAN. We have shown that such a timing model enables a model
predictive control approach on the CAN. It also provides convenient ways to
check for schedulability of messages. This model may be used for co-design of
scheduling and MPC for real-time embedded systems on the CAN. Moreover,
the timing model is a generic mathematical model that can be extended to
many applications [Wang et al 2013][Wang et al 2015][Wang et al 2015]
[Shi et al 2016]. Our simulations show that using the hybrid timing model for
MPC can achieve better performance than using worst-case timing. Our future
work will extend this hybrid timing model to other real-time communication
networks that use message priorities for arbitration, for example, the dynamic
segment of FlexRay [Pop et al. 2008].